Honey, honey

As I mentioned in my last article, the concept of "hacking back" or otherwise gaining an advantage over attackers has been gaining in popularity recently. It's not a new concept, though. In the late 1990s an Internet mailing list began that eventually spawned the Honeynet Project, an international group dedicated to learning more about hackers by "baiting" them with an attractive-looking fake network and observing their actions. Such bait is called a honeypot (a single decoy system) or a honeynet (a whole decoy network), after the old adage that you can catch more flies with honey than with vinegar.

Then as now, the idea of "baiting" or "trapping" hackers was controversial; the main problem is ethics. Many security professionals are CISSPs and, as such, are bound to a code of ethics. The question has arisen, and continues to arise, as to whether trapping hackers is ethical: the argument is that a honeypot amounts to entrapment because it entices hackers. However, I and many other security professionals feel that the situation more closely mirrors locking your door but installing security cameras to monitor what happens should someone break in. A honeypot does not invite anyone in; it simply records what an intruder does once he has decided to break in on his own.

Although he did not invent honeypots, Lance Spitzner, the founder of the Honeynet Project, is the person most closely associated with their use, research and development. In his 2003 whitepaper on the subject he defined a honeypot as "an information system resource whose value lies in unauthorized or illicit use of that resource." In other words, a honeypot has no production purpose, so any traffic that reaches it is suspect by definition. Unlike most other security tools (an IDS, for example), honeypots do not solve a specific problem; rather, like network scanners (another tool whose original use was considered controversial), their purpose is research.

A basic honeypot can be set up very easily: you monitor your Internet-side IDS for traffic that you feel is suspicious and might warrant further investigation, then set up a virtual network and redirect future traffic of that type to it.
Obviously, you need to be very careful to make sure that an attacker can't get to your real network from the honeynet, i.e. that there are no routes back through your firewall or whatever you're hanging the honeynet off. This includes any sort of VPN, of course. The same isolation should apply to outbound traffic: a honeypot that an attacker has taken over must not become a launching point for attacks on third parties, which is a liability you do not want.

Probably the most important thing to set up on a honeypot is monitoring. A honeypot is a research tool, and it's useless for that purpose unless you can see what the attacker is doing. Since many attackers try to cover their tracks by erasing logs and shell history, you'll need to set up shadow logs and forward them in real time to a "safe" host that the honeypot can write to but not log in to, so that the attacker can't erase his steps. Bear in mind that an attacker who gains root can also stop or alter a logging daemon, so capturing traffic from outside the honeypot (a network tap, or the hypervisor if the honeypot is a virtual machine) is the more reliable record.

I'll continue in more depth next time, but in the meantime I'd like to leave you with a great article by Dark Reading on the subject of honeypots. The bottom line is that they're not a good idea for everybody, but if you have reason to think someone is heavily attacking your network, it's a good idea to know what they might do if they think they've succeeded.
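The setup described above, as an added example (this is illustrative code written for this column, not the Honeynet Project's or any product's): it takes a handful of constructed Snort-style IDS alerts, picks the sources that keep tripping a signature, emits the iptables rules that redirect those sources into the honeynet and block the route back to the real network, and then runs a tiny fake SSH listener whose every observation is shipped to a separate log host before it is written anywhere local. The addresses, the honeynet and internal subnets, the log collector 10.99.0.5 and the listening port are all assumptions.

```python
"""Added example: IDS-driven redirection into a honeynet plus shadow
logging. All addresses, subnets, the log host and the alert lines are
constructed for illustration."""
import re
import socket
from collections import Counter
from datetime import datetime, timezone

# Constructed Snort "fast"-format alerts from the Internet-facing IDS.
SAMPLE_ALERTS = """\
07/14-02:11:03.120422  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 198.51.100.23:51334 -> 203.0.113.10:22
07/14-02:11:05.443101  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 198.51.100.23:51390 -> 203.0.113.10:22
07/14-02:11:09.001933  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 198.51.100.23:51412 -> 203.0.113.10:22
07/14-02:12:40.771002  [**] [1:2010935:3] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Priority: 2] {TCP} 192.0.2.77:4430 -> 203.0.113.10:1433
07/14-02:13:02.555000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 192.0.2.9:60001 -> 203.0.113.10:22
"""
ALERT_RE = re.compile(r"\[Priority: (\d+)\] \{(\w+)\} ([\d.]+):(\d+) -> ([\d.]+):(\d+)")


def parse_alerts(text):
    """One dict per alert line: priority (1 = highest), protocol, source, dest port."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append({"priority": int(m.group(1)), "proto": m.group(2),
                           "src": m.group(3), "dport": int(m.group(6))})
    return events


def select_redirect_sources(events, min_hits=3, max_priority=2):
    """Sources that repeatedly trip a priority-1 or -2 signature are the
    'traffic of that type' worth steering into the honeynet; one-off hits
    stay on the production path."""
    hits = Counter(e["src"] for e in events if e["priority"] <= max_priority)
    return sorted(src for src, n in hits.items() if n >= min_hits)


def firewall_rules(sources, honeypot_ip, honeynet_cidr, internal_cidr):
    """iptables rules: DNAT the chosen sources to the honeypot, then drop
    anything the honeynet tries to forward toward the real network."""
    rules = [f"iptables -t nat -A PREROUTING -s {src} -j DNAT "
             f"--to-destination {honeypot_ip}" for src in sources]
    # No route back. Add a matching rule for any VPN subnet as well.
    rules.append(f"iptables -A FORWARD -s {honeynet_cidr} -d {internal_cidr} -j DROP")
    return rules


# --- shadow logging ---------------------------------------------------
SAFE_LOG_HOST = ("10.99.0.5", 514)  # assumption: a collector the honeypot can only write to


def syslog_line(hostname, app, event, when=None):
    """One RFC 5424-style line per observation. PRI 134 = local0.info."""
    when = when or datetime.now(timezone.utc)
    return f"<134>1 {when.strftime('%Y-%m-%dT%H:%M:%SZ')} {hostname} {app} - - - {event}"


class ShadowLogger:
    """Each record leaves the box over UDP before anything is written
    locally, so there is nothing on the honeypot worth erasing."""

    def __init__(self, hostname, dest=SAFE_LOG_HOST):
        self.hostname, self.dest = hostname, dest
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def record(self, event):
        msg = syslog_line(self.hostname, "honeypot", event)
        self.sock.sendto(msg.encode(), self.dest)
        return msg


def handle_session(conn, addr, logger):
    """Minimal fake SSH service: present a banner, record whatever arrives."""
    logger.record(f"connect src={addr[0]} sport={addr[1]}")
    conn.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")
    conn.settimeout(10)
    try:
        data = conn.recv(1024)
        logger.record(f"data src={addr[0]} len={len(data)} hex={data[:64].hex()}")
    except socket.timeout:
        logger.record(f"timeout src={addr[0]}")
    finally:
        conn.close()


if __name__ == "__main__":
    chosen = select_redirect_sources(parse_alerts(SAMPLE_ALERTS))
    for rule in firewall_rules(chosen, "10.66.0.2", "10.66.0.0/24", "10.0.0.0/8"):
        print(rule)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", 2222))  # assumption: the DNAT maps port 22 onto 2222
    srv.listen(5)
    log = ShadowLogger(socket.gethostname())
    while True:
        handle_session(*srv.accept(), log)
```

Run as-is, the script prints the generated rules and then waits for connections; only 198.51.100.23 is selected, because it is the only source that tripped the signature three times. The FORWARD rule is the part that matters most: without it the DNAT'd attacker is sitting on a host with a route into production. Remote syslog over UDP is deliberately fire-and-forget so that a slow or unreachable collector never stalls the honeypot, but the trade-off is that a root-level intruder can kill the process, which is why an out-of-band capture is the better long-term record.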